Form-based authentication with a JDBC realm in GlassFish

Let's change basic authentication to form-based authentication, so that we can customize the login page. We need to update <login-config> in web.xml. Replace the previous <login-config> block with the following:

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>courseManagementJDBCRealm</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

We have changed <auth-method> from BASIC to FORM. For form-based authentication, we need to specify <form-login-page>, which we have set to login.jsp. <form-error-page> is optional, but we have set it to login-error.jsp.

The next step is to create login.jsp and login-error.jsp. Create both files in the src/main/webapp folder with the following contents.

Here is the source code of login.jsp. We have configured it as the login page in <form-login-page>, as shown in the preceding code block:

<!DOCTYPE HTML>
<html>
<head>
  <title>Admin Login</title>
</head>
<body>
  <form method="post" action="j_security_check">
    <table>
      <tr>
        <td>User Name: </td>
        <td><input type="text" name="j_username"></td>
      </tr>
      <tr>
        <td>Password: </td>
        <td><input type="password" name="j_password"></td>
      </tr>
      <tr>
        <td colspan="2"><input type="submit" value="Login"></td>
      </tr>
    </table>
  </form>
</body>
</html>

For form-based authentication to work, there are certain requirements:

  1. The form action must be set to j_security_check
  2. The username input field must be named j_username
  3. The password input field must be named j_password

Here is the source code of login-error.jsp. We have configured it as the error page in <form-error-page>, as shown in the <login-config> block earlier:

<!DOCTYPE HTML>
<html>
<head>
  <title>Login Failed</title>
</head>
<body>
  Invalid user name or password<br>
  <a href="<%=request.getContextPath()%>/admin/admin.jsp">Try Again</a>
</body>
</html>

The error page shows the error message and a link to try again. The Try Again link points to admin.jsp, but because that is a protected resource, the user will be redirected to login.jsp. If the login is successful, the user is then redirected to admin.jsp.

It would be nice to provide an option to log out after the user has successfully logged in. This option can be added to admin.jsp. Add a link to log out in admin.jsp as follows:

<!DOCTYPE HTML>
<html>
<head>
  <title>Course Management Admin</title>
</head>
<body>
  Welcome to Course Management Admin<br>
  <a href="../logout.jsp">Logout</a>
</body>
</html>

Create logout.jsp in the same folder as login.jsp with the following content:

<%@ page session="true"%>
Logged out <%=request.getRemoteUser()%>
<% session.invalidate(); %>

The logout page simply calls session.invalidate() to log the user out. With form-based authentication the logged-in state is tied to the HTTP session, so once the session is invalidated, the next request for a protected resource brings up login.jsp again.

To see form-based authentication in action, build the CourseManagementMavenWebApp and CourseManagementMavenEAR projects (in that order) by right-clicking on the projects and selecting Run As | Maven Install, and then deploy the application in GlassFish, as described in the Protecting access to folders in web applications section.

Browse to http://localhost:8080/CourseManagementMavenWebApp/admin/admin.jsp. This time, the browser should display login.jsp, with the login form, instead of its own pop-up window for authentication.
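
The login form posts j_username and j_password as ordinary form fields, so the flow above is only as confidential as the connection it runs over. The following web.xml fragment is an added example, not part of the original project: it shows transport and session-cookie settings that complement the FORM <login-config>. The /admin/* URL pattern and the role name admin are assumptions; use the values from the application's existing <security-constraint>. The <cookie-config> and <tracking-mode> elements need a Servlet 3.0 or later deployment descriptor.

```xml
<!-- Added example: hardening settings to sit beside the FORM <login-config>. -->
<!-- Assumed values: url-pattern /admin/* and role-name admin are placeholders
     for whatever the existing security constraint already declares. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin pages</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <!-- Weak setting: leaving this element out (or using NONE) lets the
       j_security_check POST, including j_password, travel over plain HTTP.
       CONFIDENTIAL makes the container move the request to HTTPS before
       it shows login.jsp. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<session-config>
  <!-- Idle timeout in minutes; limits how long an abandoned admin session
       stays usable if the user never clicks Logout. 15 is a sample value. -->
  <session-timeout>15</session-timeout>
  <cookie-config>
    <!-- Keep the session cookie away from page scripts. -->
    <http-only>true</http-only>
    <!-- Send the session cookie over HTTPS only. -->
    <secure>true</secure>
  </cookie-config>
  <!-- Never fall back to ;jsessionid= URL rewriting, which leaks the
       session ID into logs, bookmarks and Referer headers. -->
  <tracking-mode>COOKIE</tracking-mode>
</session-config>
```

With these settings, a request for the admin page over plain HTTP is redirected to the server's HTTPS listener before the login form is displayed.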
